In February 2017, security researchers confirmed that as many as 20 separate hacking campaigns were injecting content into WordPress sites that had not yet updated to the newly released version of the platform, 4.7.2. The flaw, in the REST API and fixed by the January 26 release, let unauthenticated users change the content of any page or post. WordPress withheld details of the vulnerability for a week after the update shipped; that delay allowed the majority of sites to upgrade before cybercriminals had information about this point of entry in the code.
Even after WordPress announced the weakness, and news outlets repeated it, a large number of site owners still did not apply the patch and were compromised. One analysis found that by February 6 attackers had already modified 67,000 pages published through the platform.
The lesson is that new updates have to be deployed quickly, within the first week after release; after that point you are fending off the intrusion attempts that are certain to follow publication of a flaw's specifics. The episode is also a general reminder that security is a key issue for WordPress: a large user base means a large number of targets for a single exploit.
What can you do to protect your site? This article reviews general security controls advised by WordPress and provides specific steps suggested by leading third parties.
Security controls recommended by WordPress itself
Here are 6 basic ways to defend your site against attacks on the content management system (CMS), according to the official WordPress Codex:
Limit access. Keep the number of users with administrative privileges small, and give attackers as few ways into the site as possible. One simple step is to limit how many web applications are running on the host and to remove, rather than merely deactivate, any themes and plugins that are not in use; a deactivated plugin's files are still on disk and still reachable.
Separate everything. Beyond access control, isolation of systems should be a key focus. Consider multiple hosting accounts: placing applications in different accounts (even with the same provider), each with its own credentials, reduces risk through infrastructural diversification. Avoid shared hosting accounts.
Conduct regular backups. Back up the site often, and verify that the backup process works by actually restoring from a backup, so that you know one can be used when needed. Have a disaster recovery plan that covers breaches as well as other catastrophic events.
Keep updated. As the attack described above makes clear, it is fundamental to deploy new versions of the core software immediately, along with any updates released for plugins and themes. To make sure this happens consistently, put an administrative check in place that verifies at preset intervals that everything is current.
Use only legitimate sources. The official WordPress plugin and theme directories, where submissions are reviewed, are the safe place to get add-ons. It is a particularly bad idea to hunt for a free copy of a plugin or theme that normally costs money. Such copies may be "nulled" by nefarious individuals or groups, WordPress notes: they come at no charge but "contain malicious code that will extend the premium plugin, but bundle it with malware that will allow them to hack your site."
Stay current on WP security. Keep core and add-ons updated, as noted above, and also stay informed about emerging security issues, since WordPress, like any software, will always have flaws. Two ways to keep abreast are the WordPress Security tag and the WPVulnDB vulnerability database.
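The "keep updated" and "legitimate sources" points above can be turned into a check that runs on the server at a preset interval. The script below is an added example written for this article, not code from WordPress or the Codex: it reads the core version from wp-includes/version.php, reads each plugin's header, compares both against a pinned minimum-version policy, and scans plugin PHP for the eval(base64_decode(...))-style obfuscation that nulled copies typically carry. The WordPress tree it audits is a constructed fixture written to a temporary directory, the MIN_CORE and MIN_PLUGINS values are hypothetical policy, and the obfuscation patterns are a heuristic starting list, not a malware signature set.

```python
import os
import re
import tempfile

# Constructed WordPress tree used as the fixture for this example (not a real
# site): core is still 4.7.1, one plugin is below the minimum we pin, and one
# "premium" plugin carries the eval(base64_decode(...)) pattern typical of
# nulled copies.
FIXTURE_FILES = {
    "wp-includes/version.php": "<?php\n$wp_version = '4.7.1';\n",
    "wp-content/plugins/contact-forms/contact-forms.php":
        "<?php\n/*\nPlugin Name: Contact Forms\nVersion: 1.0\n*/\n",
    "wp-content/plugins/premium-slider/slider.php":
        "<?php\n/*\nPlugin Name: Premium Slider\nVersion: 9.1\n*/\n"
        "eval(base64_decode('ZWNobyAnaGknOw=='));\n",
}

# Hypothetical policy: the lowest acceptable core and plugin versions.
MIN_CORE = "4.7.2"
MIN_PLUGINS = {"contact-forms": "1.2"}

# Heuristic indicators of obfuscated payloads. Legitimate plugins almost never
# need these, so each hit deserves a manual look; a hit is not proof of malware.
OBFUSCATION_PATTERNS = [
    re.compile(p) for p in (
        r"eval\s*\(\s*base64_decode\s*\(",
        r"eval\s*\(\s*gzinflate\s*\(",
        r"eval\s*\(\s*str_rot13\s*\(",
        r"create_function\s*\(",
    )
]

HEADER_RE = re.compile(r"^[\s*]*(Plugin Name|Version):\s*(.+?)\s*$", re.M)
CORE_RE = re.compile(r"\$wp_version\s*=\s*'([^']+)'")


def build_fixture():
    """Write the constructed tree to a temp dir and return its root."""
    root = tempfile.mkdtemp(prefix="wp-audit-")
    for rel, body in FIXTURE_FILES.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as f:
            f.write(body)
    return root


def version_tuple(v):
    # "4.7.2" -> (4, 7, 2); a trailing tag such as "-beta1" is ignored.
    return tuple(int(x) for x in re.findall(r"\d+", v.split("-")[0]))


def core_version(root):
    with open(os.path.join(root, "wp-includes", "version.php")) as f:
        return CORE_RE.search(f.read()).group(1)


def plugin_info(root):
    """{slug: (name, version, [(relative path, pattern), ...])} per plugin dir."""
    plugins = {}
    base = os.path.join(root, "wp-content", "plugins")
    for slug in sorted(os.listdir(base)):
        name, version, hits = slug, "0", []
        for dirpath, _, files in os.walk(os.path.join(base, slug)):
            for fn in files:
                if not fn.endswith(".php"):
                    continue
                path = os.path.join(dirpath, fn)
                with open(path, errors="replace") as f:
                    src = f.read()
                headers = dict(HEADER_RE.findall(src))
                if "Plugin Name" in headers:   # this is the plugin's main file
                    name = headers["Plugin Name"]
                    version = headers.get("Version", "0")
                hits += [(os.path.relpath(path, root), p.pattern)
                         for p in OBFUSCATION_PATTERNS if p.search(src)]
        plugins[slug] = (name, version, hits)
    return plugins


def audit(root, min_core=MIN_CORE, min_plugins=MIN_PLUGINS):
    """Return a list of finding tuples; an empty list means the tree passes."""
    findings = []
    core = core_version(root)
    if version_tuple(core) < version_tuple(min_core):
        findings.append(("core-outdated", core, min_core))
    for slug, (name, version, hits) in plugin_info(root).items():
        floor = min_plugins.get(slug)
        if floor and version_tuple(version) < version_tuple(floor):
            findings.append(("plugin-outdated", slug, version, floor))
        for path, pattern in hits:
            findings.append(("obfuscation", slug, path))
    return findings


if __name__ == "__main__":
    for finding in audit(build_fixture()):
        print(*finding)
```

Run against a real install, point audit() at the site root instead of build_fixture() and keep MIN_CORE in step with the latest release; an empty result from a cron job is the "preestablished interval" check the Codex asks for, and any obfuscation finding is a reason to pull the plugin and reinstall it from the official directory.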
Step-by-step WP security improvement
Those controls are helpful but a bit broad. Here are specific additional steps you can take to defend yourself against compromise:
Change the admin username – When you install WordPress you choose the administrative username, so do not leave it as "admin". Most WordPress hacking attempts are brute-force attacks (see the next step) directed at wp-admin or wp-login.php that use "admin" as the username and a rapid-fire barrage of guessed passwords. Using a different name means those attempts are aimed at an account the system does not recognise. Two caveats apply. First, a username cannot be changed from the dashboard once the site is installed; create a new administrator account, log in as it, and delete the old one, reassigning its content. Second, WordPress reveals usernames through author archive URLs (?author=1) and the REST API's users endpoint, so attackers can discover the new name and brute-force both fields; the change raises the cost of an attack rather than eliminating it. That is the general pattern: you cannot remove every weakness from a site, only minimise them as far as you can.
Activate lockdown & block IPs – Repeated incorrect logins may be a brute-force attack in progress. Configure the site so that after a set number of consecutive failed logins the offending address is temporarily locked out and you receive a notification. A plugin can do this; CodeinWP recommends iThemes Security after long-term use of it. It blocks an Internet Protocol (IP) address after a user has entered wrong credentials a set number of times. Formerly called Better WP Security, the plugin has many fans: a 4.7 out of 5 rating from over 3,000 user reviews, it is free and updated regularly.
Use complex passwords – Passwords should be CLU: complex, long and unique. Password managers such as LastPass and 1Password build these attributes into their generators, as the WP SEO firm Yoast points out: give the tool a length and it produces a password that is both complex and unique. Yoast suggests 20 characters and including less common symbols such as the pound sign (#) or asterisk (*).
Implement two-factor authentication – Two-factor authentication (2FA) strengthens login on any platform: besides the password, a second piece of information is required, typically a numeric code generated by a phone app or a hardware token. The answer to a secret question is a weak choice for that second factor, since it is just another thing you know and can often be researched or phished.
Be conscientious about your choice of hosting service – Fewer than 1 in 12 WordPress compromises stem from a weak username or password, according to one analysis highlighted in Torque Magazine. A large share, 22 to 29%, exploit flaws in themes or plugins. The largest share, 41%, are breaches of server-side defenses. Given those figures, Torque suggests that "the first order of keeping WordPress safe is to use a reliable hosting provider that regularly updates their infrastructure and keeps security up to date."
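The lockdown step above is usually done inside WordPress by a plugin, but the same logic can run on the server against the web-server access log, which also catches attempts the plugin never sees. The script below is an added example written for this article, not code from CodeinWP, iThemes Security or WordPress: it parses Apache "combined" log lines, treats a POST to wp-login.php answered with HTTP 200 as a failed login (WordPress re-renders the form on a bad password and redirects with 302 on success) and every POST to xmlrpc.php as an attempt (system.multicall lets one request carry hundreds of guesses), and flags any address that exceeds a threshold inside a sliding time window. The log lines are constructed, the addresses come from documentation ranges, and the threshold and window are assumed values.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample of an Apache "combined" access log (not real traffic).
# 203.0.113.7 hammers wp-login.php and then tries xmlrpc.php; 198.51.100.22
# is a legitimate user who mistypes once and then logs in (302 redirect).
SAMPLE_LOG = """\
203.0.113.7 - - [06/Feb/2017:10:00:01 +0000] "GET /wp-login.php HTTP/1.1" 200 2912 "-" "python-requests/2.12.4"
203.0.113.7 - - [06/Feb/2017:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3410 "-" "python-requests/2.12.4"
203.0.113.7 - - [06/Feb/2017:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3410 "-" "python-requests/2.12.4"
203.0.113.7 - - [06/Feb/2017:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3410 "-" "python-requests/2.12.4"
203.0.113.7 - - [06/Feb/2017:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3410 "-" "python-requests/2.12.4"
203.0.113.7 - - [06/Feb/2017:10:00:06 +0000] "POST /wp-login.php HTTP/1.1" 200 3410 "-" "python-requests/2.12.4"
203.0.113.7 - - [06/Feb/2017:10:00:07 +0000] "POST /xmlrpc.php HTTP/1.1" 200 512 "-" "python-requests/2.12.4"
198.51.100.22 - - [06/Feb/2017:10:01:10 +0000] "GET /wp-login.php HTTP/1.1" 200 2912 "-" "Mozilla/5.0"
198.51.100.22 - - [06/Feb/2017:10:01:25 +0000] "POST /wp-login.php HTTP/1.1" 200 3410 "-" "Mozilla/5.0"
198.51.100.22 - - [06/Feb/2017:10:01:40 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.22 - - [06/Feb/2017:10:01:41 +0000] "GET /wp-admin/ HTTP/1.1" 200 41233 "-" "Mozilla/5.0"
"""

# Client IP, timestamp, request line and status from a combined-format line.
# Behind a CDN or reverse proxy the first field is the proxy, not the client;
# log and parse X-Forwarded-For instead in that deployment.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)


def parse_line(line):
    """Return (ip, timestamp, method, path-without-query, status) or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    path = m.group("path").split("?")[0]
    return m.group("ip"), ts, m.group("method"), path, int(m.group("status"))


def is_login_attempt(method, path, status):
    """A failed wp-login.php POST (200 = form re-rendered) or any xmlrpc POST."""
    if method != "POST":
        return False
    if path.endswith("/wp-login.php"):
        return status == 200
    return path.endswith("/xmlrpc.php")


def find_offenders(log_text, threshold=5, window_seconds=300):
    """Return {ip: attempts} for every address that made at least `threshold`
    login attempts inside any `window_seconds`-long sliding window."""
    recent = defaultdict(deque)   # ip -> timestamps of attempts still in window
    offenders = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, method, path, status = rec
        if not is_login_attempt(method, path, status):
            continue
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()           # drop attempts that fell out of the window
        if len(q) >= threshold:
            offenders[ip] = max(offenders.get(ip, 0), len(q))
    return offenders


if __name__ == "__main__":
    for ip, n in find_offenders(SAMPLE_LOG).items():
        print(f"{ip}: {n} login attempts inside the window, block it")
```

The output of find_offenders() is what you would feed to a firewall rule or to a notification; the legitimate user's single mistake stays well under the threshold, while the scripted client crosses it within seconds. Tune threshold and window to your own traffic, and remember that a distributed attack spreads guesses across many addresses so that no single one trips the counter, which is one reason the password and 2FA steps still matter.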
Security is complex, and you will need to take steps of your own, going beyond what is suggested above with further advice (some of the best of which is linked from this article). Your partners matter too: with 2 in 5 successful WordPress attacks resulting from poor server security, choosing your host carefully is critical.
At Total Server Solutions, our protective stance is underscored by our SSAE 16 Type II audit, showing that we meet the strict service-control standards developed by the American Institute of CPAs. See our security commitment.